It's Alarmingly Easy To Take North Korea's Internet Offline

The Sony hacking saga took an even stranger turn yesterday when
North Korea lost internet access for roughly 9 1/2 hours. The
cause of the outage can't be conclusively determined.

But it appears likely that the country's paltry web
infrastructure — which consists of a mere four networks and just
over 1,000 IP addresses — was the target of a distributed
denial-of-service (DDoS) attack, conceivably
motivated in some way by the events surrounding last month's
Sony breach and the controversy surrounding The Interview.

The North Korean outage was both an utterly empty gesture and
evidence of how nearly anyone can spark a potential international
incident if sufficiently motivated to do so.

There are few countries where
the internet is less embedded in daily life than North Korea,
where web access is
severely curtailed and internet outages have almost no
practical impact on the vast majority of the population. And the
country's network is so underdeveloped, and so unprotected, that
any actor capable of launching a moderately sized DDoS attack
could potentially take it down.

"The pool of people who could do this is prohibitively large,"
Doug Madory, the director of internet analysis at Dyn Research and the
analyst who first spotted the outage, told Business Insider
when asked to speculate as to who could be responsible. While
cautioning that the cause of outage still isn't known, Madory
says that the "the set of
actors, nation states, hacker groups or just angst-ridden
teenagers that know maybe too much about computers" is incredibly
vast, and would even include people without the technical
know-how to attack North Korea on their own.

"It's a commoditized service," Madory said of DDoS attack
capabilities. "It could be someone with no skills and just a
credit card who knows how to purchase this service and direct it
at an external router interface of North Korea."

Madory speculates that North Korea's entire internet
infrastructure handles about as much volume as a mid-sized office
in the United States. The trouble is that a country with nuclear
weapons, ballistic missiles, and
a standing army of around 700,000 personnel is probably much
easier to take offline than the average American retail
chain.

Image: A look at North Korea at night in early 2013. (NOAA)

The US State Department's
pointed refusal to deny responsibility for the outage shows
how even a technically simple hack can take on global
significance when nation states are involved. An unsophisticated
DDoS attack — one that wasn't even waged by the US, in all
likelihood — was almost immediately framed as part of a larger
geopolitical faceoff between the US and North Korea.

The reality is much more mundane. North Korea's web
infrastructure is small and highly vulnerable.

Chart: the drop-off in web activity in North Korea during the December 23rd
outage. (Dyn Research)

North Korea's connection to the global internet comes entirely
through China Unicom, a state-owned telecom giant based in
neighboring China. If the outage was the result of a DDOS
attack, China Unicom would have seen it unfold in real time and
might even have information that would help identify the
culprits. Both the company and its state owner have remained
silent.

The entirety of North Korea's global web traffic is directed
through China Unicom routers in Shenyang, an industrial city
about 110 miles west of the North Korean border.

"It doesn't seem like there's a lot of diversity in the physical
path going between China and North Korea," Madory explained.

There's only one route, at least in logical networking terms.
"When you look at their autonomous system, there's a single peer
and a single path to the Internet," Jason Lancaster, a senior
threat analyst at Hewlett-Packard, explained to Business Insider.
An autonomous system is a group of networks under the
management of a single entity or authority. The AS is one of the
broader internet's principal units of organization: routes
between ASes are exchanged over BGP, and an AS with a single
upstream neighbor has exactly one logical way in and out.

The entirety of web traffic in North Korea falls under a
single AS, which communicates with only one other AS that belongs
to China Unicom. "That link logically is a single
path," Lancaster told Business Insider.
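The "single peer, single path" observation above can be checked from public BGP data rather than taken on faith: collect the AS paths that route collectors see toward an origin AS, look at which AS sits immediately in front of the origin on each path, and find the ASes that every observed path has to cross. The script below is an added illustration written for this article, not code from Dyn Research, HP, or Business Insider. The sample paths are constructed, and every AS number except AS131279 (named later on this page) is a hypothetical placeholder from the private range, including the upstream standing in for China Unicom. It also shows the contrasting case of a multi-homed origin.

```python
"""Estimate an AS's routing diversity at its international frontier
from observed BGP AS paths.

Added example for this article; not code from Dyn Research, HP or the
author. AS131279 is the ASN the page names; every other ASN here is a
hypothetical private-range placeholder, and SAMPLE_PATHS is constructed.
"""

# Constructed sample of AS_PATH strings as a route collector would report
# them: leftmost = collector's peer, rightmost = origin AS. A repeated ASN
# models path prepending; '{...}' models an AS_SET.
SAMPLE_PATHS = [
    "65001 65010 65020 131279",
    "65002 65010 65020 131279",
    "65003 65011 65020 131279",
    "65004 65011 65011 65020 131279",   # prepended by 65011
    # Hypothetical multi-homed origin AS65100 for contrast
    "65001 65010 65030 65100",
    "65002 65012 65031 65100",
    "65003 65011 65030 65100",
]


def parse_path(line):
    """Turn an AS_PATH string into a list of ASNs.

    Consecutive repeats (prepending) are collapsed so they don't look like
    extra hops; an AS_SET token such as '{65010,65099}' is treated as a
    single hop using its first member.
    """
    hops = []
    for tok in line.split():
        asn = int(tok.strip("{}").split(",")[0])
        if not hops or hops[-1] != asn:
            hops.append(asn)
    return hops


def paths_to(paths, origin):
    """Only the parsed paths that terminate at the given origin AS."""
    return [p for p in paths if p[-1] == origin]


def upstreams(paths, origin):
    """Distinct immediate upstream ASes (the hop just before the origin)."""
    return {p[-2] for p in paths_to(paths, origin) if len(p) >= 2}


def chokepoints(paths, origin):
    """ASes other than the origin that appear on every observed path to it.

    From the vantage points that produced these paths, losing any one of
    these ASes (or the link from it) disconnects the origin entirely.
    """
    routes = paths_to(paths, origin)
    if not routes:
        return set()
    common = set(routes[0])
    for p in routes[1:]:
        common &= set(p)
    common.discard(origin)
    return common


def frontier_report(lines, origin):
    """Summarise frontier diversity for origin from raw AS_PATH strings."""
    paths = [parse_path(line) for line in lines]
    ups = upstreams(paths, origin)
    return {
        "origin": origin,
        "paths_observed": len(paths_to(paths, origin)),
        "upstream_count": len(ups),
        "upstreams": sorted(ups),
        "chokepoints": sorted(chokepoints(paths, origin)),
        "single_homed": len(ups) == 1,
    }


if __name__ == "__main__":
    for origin in (131279, 65100):
        print(frontier_report(SAMPLE_PATHS, origin))
```

With the constructed data, AS131279 reports one upstream (the placeholder 65020) that is also its only chokepoint, while the hypothetical AS65100 reports two upstreams and no chokepoint. On real data the same functions can be fed AS_PATH strings from a route collector dump; the caveat from the next paragraph still applies, since a single logical path says nothing about how many physical cables carry it.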

That doesn't mean that it's
physically a single cable or just one room of routers or servers:
it isn't publicly known how many fiber-optic cables run under the
Chinese-Korean border. There's circumstantial evidence to suggest
the link isn't built to handle a high volume of traffic, which
points to limited physical infrastructure as well.

But that makes sense, because North Korea's web presence is
very small. AS131279, the AS covering North Korea's connection to
the global web, is the 29,517th largest in
the world by number of IP addresses hosted. It hosts 1,024 IP
addresses, 4 networks, 18 domains — and, tantalizingly, a single
adult domain.

The country's internet connection isn't just paltry. It's
also poorly secured. "We
have not observed any sort of advanced controls in place," says
Lancaster, "and previously when there's been attacks or outages
and these sorts of things they weren't particularly
well-managed."

Chart: Dyn Research's map of "Internet diversity at the
international frontier," as of November 2012. (Dyn Research)

The map shows that North Korea is far from the only country
vulnerable to an attack that could knock it off the internet for
some period of time. It ranks countries according to the
diversity of their international connections, with the
darker-shaded countries depending on fewer connections to the
global web.

As the map suggests, we may be in an era where an unaccountably
vast range of individuals and groups can wage a successful and
anonymous attack on a country's vital infrastructure with
relatively little trouble.

And one of those countries has
shown a willingness to mount provocative attacks against
US-based businesses, and possesses an illicit nuclear arsenal
as well. Yesterday's outage shows that it's perilously easy to
take a belligerent rogue state offline, another troublesome
variable in the cyber-standoff unfolding across the
Pacific.